
eval command

dbcase
Motivator

Ok I'm feeling kinda stupid

this query works

index=wholesale_app buildTarget=comcast analyticType=SessionStart   |eval hardwaretype=Properties.platformData.HC|stats count by Properties.platformData.HC

but this one doesn't

index=wholesale_app buildTarget=comcast analyticType=SessionStart   |eval hardwaretype=Properties.platformData.HC|stats count by hardwaretype

Scratches head ------ what am I missing?

somesoni2
SplunkTrust

The fieldname you're using in stats in the first query is Properties.platformData.HC which exists and stats works. The eval here may not be doing anything as |eval hardwaretype=Properties.platformData.HC is basically trying to concatenate values of field Properties with field platformData and field HC. The dot there is treated as the concatenation operator. Assuming you don't have fields Properties, platformData and HC in your data, the eval fails to populate field hardwaretype. That's why the second search failed.
You should either use the field Properties.platformData.HC in your stats like query 1 OR enclose the Properties.platformData.HC in single quotes in eval, like this:

index=wholesale_app buildTarget=comcast analyticType=SessionStart    |eval hardwaretype='Properties.platformData.HC'|stats count by hardwaretype
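An added example (not part of the thread) that reproduces the difference on one constructed event: makeresults and spath build a field named Properties.platformData.HC, then the unquoted eval comes back null because the dots are read as concatenation of three non-existent fields, while the single-quoted form returns the value.

```spl
| makeresults count=1
| eval _raw="{\"Properties\":{\"platformData\":{\"HC\":\"HC-EXAMPLE\"}}}"
| spath
| eval unquoted=Properties.platformData.HC
| eval quoted='Properties.platformData.HC'
| table Properties.platformData.HC unquoted quoted
```

Expected: the first and third columns show HC-EXAMPLE, the unquoted column is empty.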

cmerriman
Super Champion

When you take out the stats command, does hardwaretype come back as a field with values?
Can you try |eval hardwaretype='Properties.platformData.HC' or |rename "Properties.platformData.HC" as hardwaretype

dbcase
Motivator

Hi Cmerriman,

Without the single quotes, hardware model just comes back as blank/null.

Once the single quotes were added, things started working as expected.


dbcase
Motivator

Interesting, so the dot has a dual purpose? Meaning the only way I know how to refer to a JSON object that has multiple levels is

level1.level2.level3

and the dot is used for concatenation as well

That's not confusing at all 🙂

Thanks Somesoni2!!! Saved large clumps of my hair 🙂
